Password security - Another idea

Jonathan I. Kamens jik at athena.mit.edu
Tue Jan 10 05:37:50 AEST 1989


In article <674 at ihnet.ATT.COM> tjr at ihnet.ATT.COM (Tom Roberts) writes:
>Analysis: The range of security exposures has been changed significantly;
>you will no longer be open to password guessing attacks, because such attacks
>will be using a dictionary, not your random password. Your exposure is now
>similar to the exposures you routinely subject your house keys and credit
>cards to.  Is your computer account more valuable than your house or bank
>account? With this method you also have a very good likelihood of detecting a
>breach of your password (e.g. your wallet was stolen), and can take corrective
>measures (change your password).

There is one major problem (that I can see) with this scenario.  If I
have chosen a password on my own, one that I can remember easily, then
the only time I think about it is when I type it when I login, and at
that point it is completely invisible to me and to anyone else looking
over my shoulder (unless they watch my fingers type it -- a good
reason to type quickly and pick a password that can be typed quickly
:-).

However, if I select a completely random password and then write it down
on a slip of paper which I keep in my wallet, then I'm not likely to
remember the password (especially if I'm a casual user, which is what
many of the people who don't select secure passwords are), so I have
to take that paper out of my wallet and look at it every time I login.
How long do you think it's going to be before someone surreptitiously
glances over my shoulder when I take it out to look at it and
therefore gets my password?

>The only difficulty I know of in this method is that users may not protect
>the paper as well as they protect their keys and credit cards. I do not
>know how to address this problem.

There is no question about this.  People will *not* protect their
password the way you are claiming they will.  This has been proven
time and time again.  I consider it much more secure to have an
easy-to-remember password in the computer than to have a
hard-to-remember password in someone's wallet.

Just my two cents worth....

  Jonathan Kamens
  MIT Project Athena
